Abstract
Maintaining confidentiality of data is critical, particularly in need-to-know environments. Dissemination of classified data must be controlled according to user clearance, and rests on the proper tagging of data to ensure appropriate access. The eXtensible Markup Language (XML) provides opportunity for tagging through its extensibility, and as a standard format for data storage, processing, and transmission. Its widespread usage covers a broad range of applications, especially in productivity software such as the Microsoft Office suite. This paper describes the UI Tags Project which presents a strategy for imposing security tags within Office Open XML (OOXML) format documents used with productivity suites. Leveraging the underlying XML of these document types enforces mandatory and attribute-based access control policies. Project development goals include a comprehensive system based on a native XML database which allows users to upload new documents as well as read, edit, or delete existing documents, and controls for derivative classification.
This is a preview of subscription content, log in via an institution.
References
Ecma, T.C.: Office Open XML (2006)
ISO/IEC 29500-1:2012 - Information technology – Document description and processing languages – Office Open XML File Formats – Part 1: Fundamentals and Markup Language Reference (2012). http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=61750. Accessed 30 October 2014
Bell, D.E., La Padula, L.J.: Secure computer system: Unified exposition and Multics interpretation (1976)
Lunt, T.F.: Polyinstantiation: an inevitable part of a multilevel world. In: 1991 Proceedings of Computer Security Foundations Workshop IV, pp. 236 –238 (1991)
Wiseman, S.: Lies, Damned Lies and Databases (1991)
Jin, X., Krishnan, R., Sandhu, R.: A unified attribute-based access control model covering DAC, MAC and RBAC. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 41–55. Springer, Heidelberg (2012)
Kuhn, D.R., Coyne, E.J., Weil, T.R.: Adding attributes to role-based access control. Computer 43(6), 79–81 (2010)
Wang, L., Wijesekera, D., Jajodia, S.: A logic-based framework for attribute based access control. In: Proceedings of the 2004 ACM Workshop on Formal Methods in Security Engineering, pp. 45–55 (2004)
Bobba, R., Fatemieh, O., Khan, F., Gunter, C.A., Khurana, H.: Using attribute-based access control to enable attribute-based messaging. In: 2006 22nd Annual Computer Security Applications Conference, ACSAC 2006, pp. 403–413 (2006)
Frikken, K., Atallah, M.J., Li, J.: Attribute-based access control with hidden policies and hidden credentials. IEEE Trans. Comput. 55(10), 1259–1270 (2006)
Cirio, L., Cruz, I.F., Tamassia, R.: A role and attribute based access control system using semantic web technologies. In: Meersman, R., Tari, Z. (eds.) OTM-WS 2007, Part II. LNCS, vol. 4806, pp. 1256–1266. Springer, Heidelberg (2007)
Ecma Technical Committee 45, “Office Open Xml Overview.” Ecma International (2006)
Standard ECMA-376 (2012). http://www.ecma-international.org/publications/standards/Ecma-376.htm. Accessed 30 June 2013
Khan, L., Wang, L., Rao, Y.: Change detection of XML documents using signatures. In: Proceedings of Workshop on Real World RDF and Semantic Web Applications (2002)
Peters, L.: Change detection in XML trees: a survey. In: 3rd Twente Student Conference on IT (2005)
Cobena, G., Abiteboul, S., Marian, A.: Detecting changes in XML documents. In: 2002 Proceedings 18th International Conference on Data Engineering, pp. 41–52 (2002)
Lindholm, T.: A three-way merge for XML documents. In: Proceedings of the 2004 ACM Symposium on Document Engineering, pp. 1–10 (2004)
Rönnau, S., Pauli, C., Borghoff, U.M.: Merging changes in XML documents using reliable context fingerprints. In: Proceedings of the Eighth ACM Symposium on Document Engineering, pp. 52–61 (2008)
Rönnau, S., Philipp, G., Borghoff, U.M.: Efficient change control of XML documents. In: Proceedings of the 9th ACM Symposium on Document Engineering, pp. 3–12 (2009)
Kerr, L.: Polyinstantiation in multilevel secure XML databases. MS Thesis, Department of Computer Science, University of Idaho, Moscow, Idaho (2012)
Executive Order 13526- Classified National Security Information | The White House (2009). http://www.whitehouse.gov/the-press-office/executive-order-classified-national-security-information. Accessed 22 October 2014
Amack, A.S.: Automating derivative classification in multi-level secure documents. MS Thesis, Department of Computer Science, University of Idaho, Moscow, Idaho (2014)
Bhaskar, D.V.: Software Design Specification for Storing Multilevel Secure XML for Easy Retrieval. University of Idaho, Moscow (2014)
Microsoft Corp. v. i4i Ltd. Partnership - Supreme Court (2010). http://www.supremecourt.gov/opinions/10pdf/10-290.pdf. Accessed 25 November 2014
eXistdb - The Open Source Native XML Database. http://exist-db.org/exist/apps/homepage/index.html. Accessed 22 October 2014
Berglund, A., Boag, S., Chamberlin, D., Fernandez, M.F., Kay, M., Robie, J., Siméon, J.: XML path language (xpath). In: World Wide Web Consort. W3C (2003)
XQuery 1.0: An XML Query Language (Second Edition) (2011). http://www.w3.org/TR/xquery/. Accessed 25 November 2014
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Kerr, L. (2016). UI Tags: Confidentiality in Office Open XML. In: Haltinner, K., Sarathchandra, D., Alves-Foss, J., Chang, K., Conte de Leon, D., Song, J. (eds) Cyber Security. CSS 2015. Communications in Computer and Information Science, vol 589. Springer, Cham. https://doi.org/10.1007/978-3-319-28313-5_2
Download citation
DOI: https://doi.org/10.1007/978-3-319-28313-5_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-28312-8
Online ISBN: 978-3-319-28313-5
eBook Packages: Computer ScienceComputer Science (R0)